Bug 598074 - SELinux is preventing /usr/bin/gdb "read" access on libnpjp2.so.
Summary: SELinux is preventing /usr/bin/gdb "read" access on libnpjp2.so.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 13
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Nikola Pajkovsky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b90a1fb1e98...
Depends On:
Blocks:
Reported: 2010-05-31 11:35 UTC by Christofer Bertonha
Modified: 2014-02-02 22:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-03 14:34:53 UTC



Description Christofer Bertonha 2010-05-31 11:35:26 UTC
Summary:

SELinux is preventing /usr/bin/gdb "read" access on libnpjp2.so.

Detailed Description:

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                libnpjp2.so [ file ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdb-7.1-22.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23
                              UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Sun 30 May 2010 10:42:25 PM BRT
Last Seen                     Sun 30 May 2010 10:42:25 PM BRT
Local ID                      540d8f0d-a762-4d09-a5a3-4d061f2d9562
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1275270145.987:22541): avc:  denied  { read } for  pid=10293 comm="gdb" name="libnpjp2.so" dev=dm-0 ino=525314 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1275270145.987:22541): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9acecb20 a1=0 a2=6f732e a3=f items=0 ppid=1480 pid=10293 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gdb" exe="/usr/bin/gdb" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,gdb,abrt_t,admin_home_t,file,read
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t admin_home_t:file read;

Comment 1 Daniel Walsh 2010-06-01 14:11:30 UTC
Abrt should not be looking at files in users homedirs or /root.

Comment 2 Jiri Moskovcak 2010-06-01 15:09:51 UTC
It was probably some plugin installed in ~HOME. ABRT would have to parse the corefile and not run gdb if some loaded library is in ~HOME.

J.

Comment 3 Nikola Pajkovsky 2010-06-01 15:15:11 UTC
Yes it is. Java 64-bit.

Could you send me your coredump directly to me?

Comment 4 Daniel Walsh 2010-06-01 15:20:09 UTC
I can add a dontaudit for reads of /root and ~/. I do not want this tool to be
able to read content that is of little/no use to it.

Miroslav can you add an interface 

userdom_dontaudit_read_admin_home_files(abrt_t)

Comment 5 Miroslav Grepl 2010-06-01 15:28:09 UTC
(In reply to comment #4)
> I can add a dontaudit for reads of /root and ~/.  I do not want this tool to be
> able to read content, that is of little/no use to it.  
> 
> 
> Miroslav can you add an interface 
> 
> userdom_dontaudit_read_admin_home_files(abrt_t)    

Added to selinux-policy-3.7.19-23.fc13.
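
The AVC record from the description and the allow-versus-dontaudit choice made in comments 4 and 5, worked as an added Python example (not setroubleshoot's, audit2allow's or abrt's own code): it parses the raw audit line, rebuilds the "Hash String generated from" fields in the order the report shows, and emits the rule in both forms. The hash-string field order and the rule formatting are assumptions modelled on the text above.

```python
import re

# Constructed sample: the AVC record from the description, joined onto one line.
AVC_LINE = (
    'node=(removed) type=AVC msg=audit(1275270145.987:22541): avc:  denied  '
    '{ read } for  pid=10293 comm="gdb" name="libnpjp2.so" dev=dm-0 ino=525314 '
    'scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'
)

_RESULT = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Pull the fields a policy writer needs out of one AVC audit record."""
    m = _RESULT.search(line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    # A context is user:role:type[:range]; the type is what policy rules name.
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'comm': fields.get('comm', '?'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def hash_string(avc, plugin='catchall'):
    """Assumed field order, copied from the 'Hash String generated from' line."""
    return ','.join([plugin, avc['comm'], avc['stype'], avc['ttype'],
                     avc['tclass'], ' '.join(avc['perms'])])


def policy_rule(avc, dontaudit=False):
    """audit2allow-style rule. 'dontaudit' only silences the log entry and
    grants nothing; that is what userdom_dontaudit_read_admin_home_files(abrt_t)
    in comments 4 and 5 does, instead of the 'allow' audit2allow suggested."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    verb = 'dontaudit' if dontaudit else 'allow'
    return f"{verb} {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(hash_string(avc))
    print(policy_rule(avc))
    print(policy_rule(avc, dontaudit=True))
```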

Comment 6 Nikola Pajkovsky 2010-06-01 15:55:19 UTC
Also, please run

cat /var/*/abrt/*/executable

